lzma: fix buffer bound check error

Variable uncompressedSize references the space available, while outSizeFull is the actual expected uncompressed size. Using the wrong value causes LzmaDecode to return SZ_ERROR_INPUT_EOF. Problem was introduced in commit afca2942. While at it add additional debug message. Signed-off-by: N Antonios Vamporakis <ant@area128.com> CC: Kees Cook <keescook@chromium.org> CC: Simon Glass <sjg@chromium.org> CC: Daniel Schwierzeck <daniel.schwierzeck@gmail.com> CC: Luka Perkov <luka@openwrt.org>

lzma: fix buffer bound check error
Variable uncompressedSize references the space available, while outSizeFull is the actual expected uncompressed size. Using the wrong value causes LzmaDecode to return SZ_ERROR_INPUT_EOF. Problem was introduced in commit afca2942. While at it add additional debug message. Signed-off-by: N Antonios Vamporakis <ant@area128.com> CC: Kees Cook <keescook@chromium.org> CC: Simon Glass <sjg@chromium.org> CC: Daniel Schwierzeck <daniel.schwierzeck@gmail.com> CC: Luka Perkov <luka@openwrt.org>
4d3b8a0d · Antonios Vamporakis · Tom Rini · cddb6b83 · 4d3b8a0d
隐藏空白更改
内联并排

Showing with 4 addition and 1 deletion

lib/lzma/LzmaTools.c lib/lzma/LzmaTools.c +4 -1

未找到文件。
--- a/lib/lzma/LzmaTools.c
+++ b/lib/lzma/LzmaTools.c
@@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
        return SZ_ERROR_OUTPUT_EOF;

    /* Decompress */
-    outProcessed = *uncompressedSize;
+    outProcessed = outSizeFull;

    WATCHDOG_RESET();

@@ -111,6 +111,9 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
        inStream + LZMA_DATA_OFFSET, &compressedSize,
        inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
    *uncompressedSize = outProcessed;
+
+    debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed);
+
    if (res != SZ_OK)  {
        return res;
    }